Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/streamlit@0.63.0
Typepypi
Namespace
Namestreamlit
Version0.63.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.37.0
Latest_non_vulnerable_version1.37.0
Affected_by_vulnerabilities
0
url VCID-2m1a-hkg5-ubfe
vulnerability_id VCID-2m1a-hkg5-ubfe
summary 
Minor fix to previous patch for CVE-2022-35918
### Impact

The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific conditions.

### Patches

We released an update in version 1.30.0 to further tighten security measures. Users are strongly advised to update to version 1.30.0 immediately for optimal security.

### Workarounds

No additional workarounds are necessary once the update to version 1.30.0 is applied.

### For more information

If you have any questions or comments about this advisory:
* Email us at [security@streamlit.io](mailto:security@streamlit.io)
references
0
reference_url https://github.com/streamlit/streamlit/commit/bd0a8996c4c7ec55b9c6557e7b168b0c13a25b90
reference_id
reference_type
scores
url https://github.com/streamlit/streamlit/commit/bd0a8996c4c7ec55b9c6557e7b168b0c13a25b90
1
reference_url https://github.com/advisories/GHSA-8qw9-gf7w-42x5
reference_id GHSA-8qw9-gf7w-42x5
reference_type
scores
url https://github.com/advisories/GHSA-8qw9-gf7w-42x5
2
reference_url https://github.com/streamlit/streamlit/security/advisories/GHSA-8qw9-gf7w-42x5
reference_id GHSA-8qw9-gf7w-42x5
reference_type
scores
url https://github.com/streamlit/streamlit/security/advisories/GHSA-8qw9-gf7w-42x5
fixed_packages
0
url pkg:pypi/streamlit@1.30.0
purl pkg:pypi/streamlit@1.30.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-45nc-3ttz-hqcu
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/streamlit@1.30.0
aliases GHSA-8qw9-gf7w-42x5, GMS-2024-20
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2m1a-hkg5-ubfe
1
url VCID-45nc-3ttz-hqcu
vulnerability_id VCID-45nc-3ttz-hqcu
summary Streamlit is a data oriented application development framework for python. Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.
references
0
reference_url https://github.com/streamlit/streamlit/commit/3a639859cfdfba2187c81897d44a3e33825eb0a3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/streamlit/streamlit/commit/3a639859cfdfba2187c81897d44a3e33825eb0a3
1
reference_url https://github.com/streamlit/streamlit/security/advisories/GHSA-rxff-vr5r-8cj5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/streamlit/streamlit/security/advisories/GHSA-rxff-vr5r-8cj5
fixed_packages
0
url pkg:pypi/streamlit@1.37.0
purl pkg:pypi/streamlit@1.37.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/streamlit@1.37.0
aliases CVE-2024-42474, GHSA-rxff-vr5r-8cj5, PYSEC-2024-153
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-45nc-3ttz-hqcu
2
url VCID-e2z5-m4r7-vyhb
vulnerability_id VCID-e2z5-m4r7-vyhb
summary Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file or overwrite existing files on the web-server. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.
references
0
reference_url https://github.com/streamlit/streamlit/commit/80d9979d5f4a00217743d607078a1d867fad8acf
reference_id
reference_type
scores
url https://github.com/streamlit/streamlit/commit/80d9979d5f4a00217743d607078a1d867fad8acf
1
reference_url https://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc
reference_id
reference_type
scores
url https://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc
fixed_packages
0
url pkg:pypi/streamlit@1.11.1
purl pkg:pypi/streamlit@1.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-45nc-3ttz-hqcu
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/streamlit@1.11.1
aliases CVE-2022-35918, GHSA-v4hr-4jpx-56gc, PYSEC-2022-248
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e2z5-m4r7-vyhb
3
url VCID-nfvv-s6z5-cyej
vulnerability_id VCID-nfvv-s6z5-cyej
summary Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.
references
0
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/streamlit/PYSEC-2023-50.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/streamlit/PYSEC-2023-50.yaml
1
reference_url https://github.com/streamlit/streamlit
reference_id
reference_type
scores
url https://github.com/streamlit/streamlit
2
reference_url https://github.com/streamlit/streamlit/commit/afcf880c60e5d7538936cc2d9721b9e1bc02b075
reference_id
reference_type
scores
url https://github.com/streamlit/streamlit/commit/afcf880c60e5d7538936cc2d9721b9e1bc02b075
3
reference_url https://github.com/streamlit/streamlit/security/advisories/GHSA-9c6g-qpgj-rvxw
reference_id
reference_type
scores
url https://github.com/streamlit/streamlit/security/advisories/GHSA-9c6g-qpgj-rvxw
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27494
reference_id CVE-2023-27494
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-27494
5
reference_url https://github.com/advisories/GHSA-9c6g-qpgj-rvxw
reference_id GHSA-9c6g-qpgj-rvxw
reference_type
scores
url https://github.com/advisories/GHSA-9c6g-qpgj-rvxw
fixed_packages
0
url pkg:pypi/streamlit@0.81.0
purl pkg:pypi/streamlit@0.81.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-45nc-3ttz-hqcu
1
vulnerability VCID-e2z5-m4r7-vyhb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/streamlit@0.81.0
aliases CVE-2023-27494, GHSA-9c6g-qpgj-rvxw, PYSEC-2023-50
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nfvv-s6z5-cyej
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/streamlit@0.63.0